Network View

In a classic view of a multi-networking environment, a firewall
or router provides connectivity between one or more networks.
Depending on how access control is configured on the firewall or
router, communication is allowed to pass between the networks. For
example, consider the following figure, which illustrates a classic
view of the multi-networking scenario.

In the figure, a corporate network is connected to the Internet,
allowing clients access to the Internet. A perimeter network (also
known as a DMZ, demilitarized zone, or screened subnet) is
connected to the corporate network and to the Internet, allowing
access to its resources.

The relationships between the networks can be defined as
follows:

Clients on the corporate network can access the Internet.

Computers on the Internet cannot access the corporate network
clients.

Clients on the corporate network can access resources on the
perimeter network.

Clients on the Internet can access resources on the perimeter
network.

You can use Forefront TMG to define network rules (FPCNetworkRule objects),
thereby allowing access between the networks. When you do so, you
define not only whether the networks are connected, but also how
they are connected. In this way, you establish the network access
policy between the networks.

The following figure illustrates the concept of network access
policy. Here, network rules have been configured to allow network
access between the same networks shown in the previous figure.

In other words, network rules define the relationships between
the networks as follows:

A routing relationship is defined between the branch office and
the headquarters. A routing relationship allows traffic between the
networks. Routing relationships are bidirectional and do not call
for address translation.

A network address translation (NAT) relationship is defined
from the corporate network to the perimeter network. NAT
relationships are unidirectional and unique. Therefore, no
relationship can exist from the perimeter network to the corporate
network.

A NAT relationship is defined from the corporate network to the
Internet. Again, no relationship exists from the Internet to the
corporate network.

Finally, a NAT relationship is defined from the perimeter
network to the Internet.

The general guideline is that when you publish IP addresses, you
define a routing relationship. If you do not want to expose IP
addresses, you define a NAT relationship.
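The relationship semantics above (routing is bidirectional with no address translation; NAT is one-way, hides the source address, and is unique per network pair) as an added Python model of the network-access-policy figure. This is illustration code written for this page, not Forefront TMG's COM API; the NetworkRule class is a hypothetical stand-in for an FPCNetworkRule object, and the model assumes at most one relationship per pair of networks.

```python
from dataclasses import dataclass, field

ROUTE, NAT = "route", "nat"  # the two relationship kinds the page describes


@dataclass
class NetworkRule:
    """Hypothetical stand-in for a TMG FPCNetworkRule: one relationship between two networks."""
    name: str
    source: str
    destination: str
    rule_type: str  # ROUTE (bidirectional, no translation) or NAT (one-way, translated)


@dataclass
class NetworkPolicy:
    rules: list = field(default_factory=list)

    def add_rule(self, rule: NetworkRule) -> None:
        # Model assumption: a network pair has at most one relationship, so a reverse
        # NAT rule (Perimeter -> Corporate) cannot be defined once Corporate -> Perimeter exists.
        for existing in self.rules:
            if {existing.source, existing.destination} == {rule.source, rule.destination}:
                raise ValueError(f"{rule.name!r} conflicts with existing rule {existing.name!r}")
        self.rules.append(rule)

    def relationship(self, src: str, dst: str) -> tuple:
        """Return (connected, source_address_hidden) for traffic initiated from src to dst."""
        for r in self.rules:
            if r.rule_type == ROUTE and {r.source, r.destination} == {src, dst}:
                return True, False  # routed: both directions, real addresses exposed
            if r.rule_type == NAT and (r.source, r.destination) == (src, dst):
                return True, True   # NAT: this direction only, source address translated
        return False, False          # no relationship: the networks are not connected


def build_figure_policy() -> NetworkPolicy:
    """Constructed sample: the four relationships the page lists for its figure."""
    policy = NetworkPolicy()
    policy.add_rule(NetworkRule("Branch to HQ", "Branch", "Headquarters", ROUTE))
    policy.add_rule(NetworkRule("Corporate to Perimeter", "Corporate", "Perimeter", NAT))
    policy.add_rule(NetworkRule("Corporate to Internet", "Corporate", "Internet", NAT))
    policy.add_rule(NetworkRule("Perimeter to Internet", "Perimeter", "Internet", NAT))
    return policy


if __name__ == "__main__":
    p = build_figure_policy()
    for src, dst in [("Corporate", "Internet"), ("Internet", "Corporate"), ("Headquarters", "Branch")]:
        print(src, "->", dst, p.relationship(src, dst))
```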

Administrator's Role

The administrator's tasks include establishing Forefront TMG
rules and policies, and configuring the cache. Forefront TMG rules
determine how Forefront TMG clients communicate with the Internet
and the type of communication that is allowed. These rules also
determine how servers on your local network communicate with
Internet users.

Four items are shown in the network view figure:

A remote computer from which an administrator manages Forefront
TMG.

A Forefront TMG computer, whose components are shown in the
Server View figure.

Clients and servers that use the Forefront TMG firewall and
cache capabilities.